How to secure and protect SSH Server

To secure and protect SSH Server

Secure Shell (SSH) provides encrypted remote logins to local or remote Linux servers and is also used to transfer files and backups with scp or sftp. All traffic between the servers travels over an encrypted, authenticated channel.


DenyHosts

DenyHosts blocks an attacker's IP address and prevents further access to the server. It is written in Python. A Linux system administrator runs DenyHosts to monitor the log of failed login attempts, which are the signature of brute-force and dictionary attacks.

Features

  • Sending email notification
  • Tracks all failed login attempts by user and offending host
  • Keeps a record of failed login attempts against both valid and invalid user names.
[root@linuxhelp~]# yum install --enablerepo=epel denyhosts
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: centos.webwerks.com
* epel: ftp.cuhk.edu.hk
* extras: centos.webwerks.com
* updates: centos.webwerks.com
Resolving Dependencies
-->  Running transaction check
--->  Package denyhosts.noarch 0:2.6-20.el6 will be installed
...
Installed:
denyhosts.noarch 0:2.6-20.el6
Complete!

Open the hosts.allow configuration file.

[root@linuxhelp~]# vim /etc/hosts.allow

Add the client IP that should be allowed to reach sshd to this file.

sshd:   192.168.5.224
[root@linuxhelp~]# vim /etc/denyhosts.conf

Edit the file as per your requirement or proceed with the default configuration.
Once the configuration is complete, restart the service.

[root@linuxhelp ~]# service denyhosts restart
[root@linuxhelp ~]# tail -f /var/log/secure
Mar 21 12:00:36 linuxhelp sshd[26591]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Mar 21 12:00:43 linuxhelp sshd[26594]: Received disconnect from 192.168.5.224: 11: disconnected by user
Mar 21 12:00:43 linuxhelp sshd[26591]: pam_unix(sshd:session): session closed for user user1
Mar 21 12:25:44 linuxhelp sshd[26221]: Received disconnect from 192.168.5.69: 11: disconnected by user
Mar 21 13:12:35 linuxhelp sshd[27269]: Accepted password for user1 from 192.168.5.224 port 36623 ssh2
Mar 21 13:12:35 linuxhelp sshd[27269]: pam_unix(sshd:session): session opened for user user1 by (uid=0)
Mar 21 13:12:49 linuxhelp sshd[27295]: refused connect from 192.168.5.69 (192.168.5.69)

Logging in from 192.168.5.224 now succeeds over SSH. Connecting from any other IP produces the following error.

[root@linuxhelp ~]# ssh user1@192.168.5.220
ssh_exchange_identification: Connection closed by remote host

To whitelist an IP so that DenyHosts never blocks it, add it to /var/lib/denyhosts/allowed-hosts.

[root@linuxhelp ~]# vim /var/lib/denyhosts/allowed-hosts
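DenyHosts enforces its blocks by appending "sshd: <ip>" entries to /etc/hosts.deny, which TCP wrappers evaluate together with the hosts.allow entry added above. The decision order is: first match in hosts.allow wins (allow), then first match in hosts.deny wins (deny), otherwise the connection is allowed, so a hosts.allow entry on its own restricts nothing. Added example, not from the original page, reducing that evaluation to the rule forms used here ("sshd: 192.168.5.224", "sshd: ALL", "ALL: 192.168.5."); EXCEPT clauses and hostnames are not handled.

```shell
#!/bin/sh
# Added example (not part of the original page): TCP wrappers access decision
# for a daemon/client pair from hosts.allow and hosts.deny text. Assumes rules of
# the form "daemon: client [client ...]" with ALL, exact IPs and dotted prefixes.

# Constructed sample files (not copied from a real host).
HOSTS_ALLOW='sshd: 192.168.5.224'
HOSTS_DENY='sshd: ALL'

# wrappers_match RULES_TEXT DAEMON CLIENT_IP -> exit 0 if any rule matches
wrappers_match() {
    printf '%s\n' "$1" | awk -v daemon="$2" -v ip="$3" '
        /^[[:space:]]*(#|$)/ { next }                   # comments and blank lines
        {
            split($0, parts, ":")
            d = parts[1]; gsub(/[[:space:]]/, "", d)
            if (d != "ALL" && d != daemon) next         # rule is for another daemon
            n = split(parts[2], clients, /[[:space:],]+/)
            for (i = 1; i <= n; i++) {
                c = clients[i]
                if (c == "") continue
                if (c == "ALL" || c == ip) { found = 1; exit }
                # a trailing dot is a network prefix, e.g. 192.168.5.
                if (c ~ /\.$/ && index(ip, c) == 1) { found = 1; exit }
            }
        }
        END { exit !found }'
}

# wrappers_decide ALLOW_TEXT DENY_TEXT DAEMON CLIENT_IP -> prints allow|deny
wrappers_decide() {
    if wrappers_match "$1" "$3" "$4"; then echo allow      # hosts.allow first
    elif wrappers_match "$2" "$3" "$4"; then echo deny     # then hosts.deny
    else echo allow                                        # no rule: allowed
    fi
}
```

Note the third case: with an empty hosts.deny, every client is still allowed, which is why DenyHosts (or a manual "sshd: ALL" in hosts.deny) is what actually turns the hosts.allow entry into a restriction.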


Fail2Ban

Fail2Ban is an open-source intrusion prevention framework. It scans /var/log/auth.log, /var/log/secure and /var/log/pwdfail for intruders and bans the offending IP address for a configurable period of time. It is written in Python.

Features

  • Monitoring log files
  • Runs scripts
  • Highly configurable.

Run the following command to install fail2ban.

[root@linuxhelp ~]# yum install fail2ban
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: centos.excellmedia.net
* epel: ftp.cuhk.edu.hk
* extras: centos.excellmedia.net
* updates: centos.excellmedia.net
Resolving Dependencies
-->  Running transaction check
--->  Package fail2ban.noarch 0:0.9.3-1.el6.1 will be installed
...
Installed:
fail2ban.noarch 0:0.9.3-1.el6.1
Complete!

Copy the original jail.conf to jail.local; Fail2Ban reads jail.local on top of jail.conf, so local changes survive package updates.

[root@linuxhelp ~]# cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the jail.local file to whitelist your own IP and enable the iptables-based SSH jail.

[root@linuxhelp ~]# vim /etc/fail2ban/jail.local

In the [DEFAULT] section set ignoreip to your client IP, then add the jail below (the keyword is enabled, not enable; a misspelled key is silently ignored and the jail never starts).

ignoreip = 192.168.5.224

[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/secure
maxretry = 3

Restart the service and then view the log file.

[root@linuxhelp ~]# service fail2ban restart
[root@linuxhelp ~]# cat /var/log/secure | grep ' Failed password'  | sort | uniq -c
1 Mar 21 11:12:53 linuxhelp sshd[25999]: Failed password for root from 192.168.5.69 port 34989 ssh2
1 Mar 21 11:12:59 linuxhelp sshd[25999]: Failed password for root from 192.168.5.69 port 34989 ssh2
1 Mar 21 11:14:47 linuxhelp sshd[26051]: Failed password for root from 192.168.5.224 port 56295 ssh2
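The grep | sort | uniq -c pipeline above counts every line once, because each line carries its own timestamp; the number that decides a ban is failures per source IP, which needs the address extracted first. Added example, not from the original page, run over constructed log lines in the same format as /var/log/secure; ban_candidates applies the maxretry and ignoreip values from the jail above.

```shell
#!/bin/sh
# Added example (not part of the original page): per-source failed-password
# counts from sshd log lines, then the sources a Fail2Ban sshd jail with the
# given maxretry/ignoreip would ban.

# Constructed sample of /var/log/secure (not real log data).
SAMPLE_LOG='Mar 21 11:12:53 linuxhelp sshd[25999]: Failed password for root from 192.168.5.69 port 34989 ssh2
Mar 21 11:12:59 linuxhelp sshd[25999]: Failed password for root from 192.168.5.69 port 34989 ssh2
Mar 21 11:13:04 linuxhelp sshd[25999]: Failed password for root from 192.168.5.69 port 34989 ssh2
Mar 21 11:13:20 linuxhelp sshd[26010]: Failed password for invalid user admin from 192.168.5.69 port 35001 ssh2
Mar 21 11:14:47 linuxhelp sshd[26051]: Failed password for root from 192.168.5.224 port 56295 ssh2
Mar 21 11:15:02 linuxhelp sshd[26060]: Failed password for root from 192.168.5.224 port 56301 ssh2
Mar 21 11:15:09 linuxhelp sshd[26060]: Failed password for root from 192.168.5.224 port 56301 ssh2
Mar 21 13:12:35 linuxhelp sshd[27269]: Accepted password for user1 from 192.168.5.224 port 36623 ssh2'

# failed_by_ip LOG_TEXT -> "count ip" per line, highest count first
failed_by_ip() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Failed password for .* from \([0-9.]*\) port .*/\1/p' \
      | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# ban_candidates LOG_TEXT MAXRETRY "IGNOREIP ..." -> one IP per line at/over the limit
ban_candidates() {
    failed_by_ip "$1" | awk -v max="$2" -v ignore="$3" '
        BEGIN { n = split(ignore, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        $1 >= max && !($2 in skip) { print $2 }'
}
```

On a live host replace the sample with `ban_candidates "$(cat /var/log/secure)" 3 "192.168.5.224"`; the whitelisted 192.168.5.224 is never listed even though it has three failures.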

If you try to log in from an IP other than the one listed in the config file, the following error appears.

[root@linuxhelp ~]# ssh user1@192.168.5.220
ssh:connect to host 192.168.5.220: Connection refused


Display SSH Banner

An SSH banner displays a welcome message to authorised users and a warning message to unauthorised users before they authenticate.

To display a message before login, put it in the /etc/issue.net file.

[root@linuxhelp ~]# vim /etc/issue.net

Then, in the sshd_config file, uncomment the line starting with Banner, point it at /etc/issue.net, and restart the sshd service.

[root@linuxhelp ~]# vim /etc/ssh/sshd_config
[root@linuxhelp ~]# service sshd restart

To display a message after the user has logged in, add the contents to the motd file.

[root@linuxhelp ~]# vim /etc/motd


Disable Root Login

By default, SSH remote logins let users log in as root and gain root access directly. The better option is to disable root login and log in with an ordinary account; sudo or su can then be used to gain root access when it is required.

[root@linuxhelp ~]# vim /etc/ssh/sshd_config

In this file, uncomment the PermitRootLogin line, set its value to no, and restart the service.

[root@linuxhelp ~]# service sshd restart
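Both edits above (Banner and PermitRootLogin) change a single sshd_config directive. sshd uses the first value it reads for a keyword, so simply appending "PermitRootLogin no" below an existing "PermitRootLogin yes" would change nothing. Added example, not from the original page, that rewrites every commented or active copy of the directive and reads back the value sshd would use; it assumes a plain sshd_config without Match blocks.

```shell
#!/bin/sh
# Added example (not part of the original page): idempotent sshd_config edits.
# set_sshd_option FILE KEY VALUE replaces all "Key ..." / "#Key ..." lines with
# one active "Key VALUE" line, or appends the directive if it is absent.
set_sshd_option() {
    awk -v key="$2" -v value="$3" '
        BEGIN { lk = tolower(key) }                           # keywords are case-insensitive
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)      # strip a leading comment marker
            split(line, f, /[[:space:]]+/)
            if (tolower(f[1]) == lk) {
                if (!done) { print key " " value; done = 1 }  # first copy becomes the setting
                next                                          # later copies are dropped
            }
            print
        }
        END { if (!done) print key " " value }                # absent: append it
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"   # keeps the file owner/mode
}

# effective_sshd_option FILE KEY -> the value sshd would use (first active line)
effective_sshd_option() {
    awk -v key="$2" '
        BEGIN { lk = tolower(key) }
        /^[[:space:]]*#/ || NF == 0 { next }                  # skip comments and blanks
        tolower($1) == lk { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE: apply the two settings from the sections above
harden_sshd_config() {
    set_sshd_option "$1" Banner /etc/issue.net
    set_sshd_option "$1" PermitRootLogin no
}
```

Run it against a copy of /etc/ssh/sshd_config, validate the copy with `sshd -t -f <copy>` before putting it in place, and only then `service sshd restart`.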


SSH Passwordless Login

Passwordless login creates a key-based trust between two Linux servers, so connections no longer prompt for a password, which makes file transfer easier.

Features

  • File transfer
  • Remote scripting execution
  • Remote script management
  • Remote automated backups.
root@linuxhelp:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
...
(the key pair is written to /root/.ssh/id_rsa and /root/.ssh/id_rsa.pub)

Copy the generated public key to the server machine.

root@linuxhelp:~# ssh-copy-id root@192.168.5.220

Once the key is copied to the server, logging in no longer asks for a password.

root@linuxhelp:~# ssh root@192.168.5.220

The server machine is now logged into without a password.
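What ssh-copy-id does on the server side is append the public key to ~/.ssh/authorized_keys; sshd (with StrictModes on, the default) then refuses the key if ~/.ssh or authorized_keys is writable by others. Added example, not from the original page, that installs a key by hand with the required modes, skips an already-installed key, and optionally pins it to one client address with a from= option so the key copied from 192.168.5.224 is usable only from there. The public key line is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not part of the original page): server-side key installation
# with the permissions sshd requires.
# install_authorized_key HOMEDIR PUBKEY_LINE [FROM_PATTERN] -> 0 installed, 1 already present
install_authorized_key() {
    home=$1 pubkey=$2 from=${3:-}
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"          # StrictModes: not group/world writable
    touch "$authkeys" && chmod 600 "$authkeys"
    if [ -n "$from" ]; then
        line="from=\"$from\" $pubkey"                   # key valid only from this client
    else
        line=$pubkey
    fi
    if grep -qxF "$line" "$authkeys"; then
        return 1                                       # identical line already installed
    fi
    printf '%s\n' "$line" >> "$authkeys"
}

# count_authorized_keys HOMEDIR -> number of active key lines
count_authorized_keys() {
    grep -cv '^[[:space:]]*\(#\|$\)' "$1/.ssh/authorized_keys"
}

# Constructed placeholder public key (not a real key).
CLIENT_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL root@linuxhelp'
```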

FAQ
Q
What are all the features to secure and protect SSH Server?
A
Sending email notifications
Tracks all failed login attempts by user and offending host
Keeps a record of failed login attempts against both valid and invalid user names.
Q
Is an SSH server available for Windows?
A
No, SSH is not available for Windows.
Q
Is Dropbear an alternative SSH server?
A
Dropbear is a relatively small open source SSH 2 server. It runs on a variety of POSIX-based platforms.
Q
How to set up passwordless login on an SSH server?
A
Generate the SSH key on the client machine with the command "ssh-keygen", then copy the generated key to the server machine. Once the key is copied to the server, it will not
Q
How to install the ssh server on Ubuntu?
A
Execute the following command: "apt-get install openssh-server"